rlm_eap: SSL error

James Lever j at jamver.id.au
Thu Jan 18 07:45:29 CET 2007


On 17/01/2007, at 4:47 PM, Alan DeKok wrote:

> James Lever wrote:
>> Wed Jan 17 08:00:11 2007 : Error:     TLS_accept:error in SSLv3 read
>> client certificate A
>   That just means there's no client certificate.

Interesting, given I'm only allowing EAP-TLS access to my wireless LAN
(or attempting to).

Below is the log output when run in full debugging (excerpt)

--
   rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
   Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
   rlm_eap: Request found, released from the list
   rlm_eap: EAP/tls
   rlm_eap: processing type tls
   rlm_eap_tls: Authenticate
   rlm_eap_tls: processing TLS
   eaptls_verify returned 7
   rlm_eap_tls: Done initial handshake
   rlm_eap_tls: <<< TLS 1.0 Handshake [length 0be8], Certificate
chain-depth=1,
error=0
--> User-Name = clientCN
--> BUF-Name = :30 2007 : Info: Ready to process requests.
--> subject = /C=AU/issuerDN
--> issuer  = /C=AU/issuerDN
--> verify return:1
radius_xlat:  'clientCN'
     rlm_eap_tls: checking certificate CN (clientCN) with xlat'ed value (clientCN)
chain-depth=0,
error=0
--> User-Name = clientCN
--> BUF-Name = clientCN
--> subject = /C=AU/clientDN
--> issuer  = /C=AU/issuerDN
--> verify return:1
     TLS_accept: SSLv3 read client certificate A
   rlm_eap_tls: <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
     TLS_accept: SSLv3 read client key exchange A
   rlm_eap_tls: <<< TLS 1.0 Handshake [length 0106], CertificateVerify
     TLS_accept: SSLv3 read certificate verify A
   rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
   rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
     TLS_accept: SSLv3 read finished A
   rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
     TLS_accept: SSLv3 write change cipher spec A
   rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
     TLS_accept: SSLv3 write finished A
     TLS_accept: SSLv3 flush data
     (other): SSL negotiation finished successfully
rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
SSL Connection Established
   eaptls_process returned 13
   modcall[authenticate]: module "eap" returns handled for request 6
modcall: leaving group authenticate (returns handled) for request 6
--

When I try to do the same with a Certificate from another CA it fails  
as expected.  So why does the EAP-TLS login work even though it  
complains that no certificate was received?  Is the certificate  
actually validated and hence there really was no error, or is  
FreeRADIUS or OpenSSL authorising where it should not?

cheers,
James
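A log check for the question raised in the post, added here as an example and not code from the post, from FreeRADIUS or from OpenSSL: it parses the verify-callback blocks that rlm_eap_tls prints in debug mode ("chain-depth=N," / "error=E" / "--> ..." lines) and reports whether the peer certificate passed verification at every chain depth before "SSL Connection Established", while separating an OpenSSL error code of 00000000 (an empty error queue, i.e. no error was recorded) from a genuine one. It assumes that "BUF-Name" is the CN value rlm_eap_tls compares against User-Name. The first sample log is constructed from the excerpt above (with a placeholder for the depth-1 BUF-Name, which was interleaved with another log line in the post); the unknown-CA sample is hypothetical.

```python
"""Check FreeRADIUS EAP-TLS debug output for a genuinely verified client chain.
Added example, not FreeRADIUS or OpenSSL code. Parses the "--> ..." lines that
rlm_eap_tls prints from its OpenSSL verify callback (one block per "chain-depth=N,"
/ "error=E" pair) plus the "rlm_eap: SSL error" and "SSL Connection Established"
lines. Assumptions: "BUF-Name" is the CN rlm_eap_tls compares with User-Name, and
OpenSSL code 00000000 means the error queue was empty, i.e. no error at all.
"""
import re
from dataclasses import dataclass, field

DEPTH_RE = re.compile(r"^\s*chain-depth=(\d+),\s*$")
ERROR_RE = re.compile(r"^\s*error=(\d+)\s*$")
VERIFY_RE = re.compile(r"^\s*-->\s*verify return:(\d)\s*$")
FIELD_RE = re.compile(r"^\s*-->\s*([A-Za-z-]+)\s*=\s*(.*)$")
SSL_ERR_RE = re.compile(r"rlm_eap: SSL error error:([0-9A-Fa-f]{8}):")
OPENSSL_NO_ERROR = "00000000"  # ERR_get_error() returned 0: nothing queued


@dataclass
class ChainEntry:
    depth: int
    error: int = 0                      # X509 verify error code, 0 = ok
    fields: dict = field(default_factory=dict)
    verify_ok: bool = False             # "--> verify return:1"


@dataclass
class Verdict:
    established: bool                   # saw "SSL Connection Established"
    chain: list                         # one ChainEntry per verify callback
    real_ssl_errors: list               # "SSL error" lines with a non-zero code
    noop_ssl_errors: list               # "SSL error error:00000000" lines

    def depth0(self):
        return next((e for e in self.chain if e.depth == 0), None)

    @property
    def cn_matches_user(self) -> bool:
        e = self.depth0()
        return e is not None and e.fields.get("BUF-Name") == e.fields.get("User-Name")

    @property
    def client_cert_verified(self) -> bool:
        # Peer cert (depth 0) seen, every depth passed, no genuine OpenSSL error, handshake done.
        return (self.established and self.depth0() is not None
                and all(e.verify_ok and e.error == 0 for e in self.chain)
                and not self.real_ssl_errors)


def analyse(log_text: str) -> Verdict:
    chain, real_errs, noop_errs, current, established = [], [], [], None, False
    for line in log_text.splitlines():
        if m := DEPTH_RE.match(line):
            current = ChainEntry(depth=int(m.group(1)))
            chain.append(current)
        elif (m := ERROR_RE.match(line)) and current:
            current.error = int(m.group(1))
        elif (m := VERIFY_RE.match(line)) and current:
            current.verify_ok = m.group(1) == "1"
        elif (m := FIELD_RE.match(line)) and current:
            current.fields[m.group(1)] = m.group(2).strip()
        elif m := SSL_ERR_RE.search(line):
            (noop_errs if m.group(1) == OPENSSL_NO_ERROR else real_errs).append(line.strip())
        elif "SSL Connection Established" in line:
            established = True
    return Verdict(established, chain, real_errs, noop_errs)


# Constructed sample, trimmed from the posted excerpt (depth-1 BUF-Name is a placeholder).
SAMPLE_OK = """\
chain-depth=1,
error=0
--> User-Name = clientCN
--> BUF-Name = issuerCN
--> subject = /C=AU/issuerDN
--> issuer  = /C=AU/issuerDN
--> verify return:1
chain-depth=0,
error=0
--> User-Name = clientCN
--> BUF-Name = clientCN
--> subject = /C=AU/clientDN
--> issuer  = /C=AU/issuerDN
--> verify return:1
rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
SSL Connection Established
"""

# Constructed, hypothetical sample: client cert from an unknown CA (X509 error 20 is
# X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY).
SAMPLE_UNKNOWN_CA = """\
chain-depth=0,
error=20
--> User-Name = clientCN
--> BUF-Name = clientCN
--> subject = /C=AU/clientDN
--> issuer  = /C=AU/otherCA
--> verify return:0
rlm_eap: SSL error error:14089086:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:certificate verify failed
"""

if __name__ == "__main__":
    for name, text in (("good", SAMPLE_OK), ("unknown CA", SAMPLE_UNKNOWN_CA)):
        v = analyse(text)
        print(name, "verified" if v.client_cert_verified else "NOT verified",
              f"cn_match={v.cn_matches_user} noop={len(v.noop_ssl_errors)} real={len(v.real_ssl_errors)}")
```

Run it as a script to see both verdicts, or feed a captured `radiusd -X` transcript to `analyse()`. The point of keeping the 00000000 lines in a separate list is that they are still worth noticing (a module printing "SSL error" with an empty error queue is a logging quirk, not a verification result), but only a non-zero code or a "verify return:0" at any depth should make the check fail.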